PacketFence

How to set up and use the powerful open-source network access control solution.

and test the connection with NessusClient, which is available as a
separate download.

Installation

Download the PacketFence RPM from the SourceForge repository, and install
it using:

rpm -ivh packetfence-1.6.2-1.i386.rpm

In /usr/local/pf, you will find two Perl scripts that will help you with the
necessary configuration steps: installer.pl and configurator.pl. Change
your current directory to /usr/local/pf, and execute installer.pl. The
script, among other things, sets up the PacketFence database, installs all
the necessary Perl modules (which are quite a few) and creates a user
account for the Web GUI.

Configuration Steps

Now, the real configuration work starts. First, execute configurator.pl,
and you'll be offered several choices. Choose the template configuration
based on the testing mode. You'll be asked to supply several network
parameters (DHCP servers, DNS servers and so on), and a basic configuration
file, /usr/local/pf/conf/pf.conf, will be created. This configuration
file contains only the differences you apply to the default configuration
parameters saved in /usr/local/pf/conf/pf.conf.defaults. Have a look at
conf/pf.conf.defaults to get an idea of the available options. To help
you see what's going on inside PacketFence, add the following lines to
/usr/local/pf/conf/pf.conf to increase the logging level:

[logging]
verbosity=8

Basic Usage

Start PacketFence with service packetfence start. Have a look at
/var/log/messages, and you should see that PacketFence started creating
an inventory of all nodes on your network, as in the following example:

/usr/local/pf/bin/pfcmd is the PacketFence command-line
interface. Executing it without any further parameters shows a help
screen with the available options. In order to show all nodes in the
database, execute:

The os and osclass reports use PacketFence's DHCP fingerprinting
feature, which tries to determine the operating system of every DHCP
request (including the ones made by printers, VoIP phones, switches
and so on).

Running:

/usr/local/pf/bin/pfcmd report os

shows the number and percentage of nodes on your network for every
detected operating system. Note that the DHCP fingerprinting feature can
easily be used to disallow access to your network by computers running
specific operating systems.

PacketFence also features an administrative Web GUI, which, by
default, is available on the secured port 1443. Direct your browser
to https://<pf-host>:1443/. Once you enter the login/password you
defined during the installation, you can start monitoring and configuring
PacketFence through the GUI.

When you start enforcing the registration of nodes with PacketFence, all
nodes on the network have to be registered before they can gain
complete network access. This registration requirement applies
to all gear with network access, including wireless access points and
printers. So, before actually activating this option in the configuration
file, it is wise to preregister those types of devices manually.

For computers with Web browsers, on the other hand, the registration can
be done by the user through the PacketFence captive portal. The portal
can verify login/password information through an htaccess file, RADIUS
or LDAP, which we use in our example. In order to do this, you need to
adapt the provided template /usr/local/pf/conf/templates/ldap.conf
to fit your LDAP structure.

Because all your users will be redirected to the registration screen, it
is also wise at this point to change the default PacketFence logo, which
is shown on the Web pages, to your own company logo. This can be done by
adding
logo=/common/mylogo.gif
to the [default] section in /usr/local/pf/conf/pf.conf and copying the
file mylogo.gif into the directory /usr/local/pf/html/common/.

To activate the registration, incorporate the following parameters into
/usr/local/pf/conf/pf.conf:

Now, restart PacketFence with service packetfence restart.
You should see in /var/log/messages that PacketFence is trapping
unregistered nodes by ARP-spoofing your network's gateway. From the client
side, opening a Web browser and accessing any outside Web site should lead to a
redirection to the PacketFence captive portal, which allows you to register the
computer. You can also determine whether a client has been ARP-spoofed by
executing arp -n -a (under Linux) on the client and checking which MAC is
saved in the ARP cache for your network's gateway.
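The gateway-MAC check described above, scripted as an added example (this is not code from the PacketFence project): it reads net-tools arp -n -a output, looks up the gateway's cached MAC and compares it with the MAC you know the real gateway has. The IP and MAC addresses in it are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of PacketFence: tell from a Linux client whether
# the ARP cache still holds the real gateway MAC or whether the entry has
# been replaced, as happens when PacketFence traps an unregistered node.
# Expects net-tools "arp -n -a" output on stdin, one entry per line, e.g.
#   ? (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
# All addresses below are constructed sample values.

# gateway_mac_from_arp GATEWAY_IP   (arp output on stdin)
# Prints the cached MAC for GATEWAY_IP in lower case, or "absent" when the
# gateway is not in the cache or its entry is marked <incomplete>.
gateway_mac_from_arp() {
    mac=$(awk -v ip="($1)" '
        $2 == ip { m = tolower($4); if (m ~ /^[0-9a-f:]+$/) print m; exit }')
    if [ -n "$mac" ]; then printf '%s\n' "$mac"; else printf 'absent\n'; fi
}

# check_gateway GATEWAY_IP EXPECTED_MAC   (arp output on stdin)
# Exit status 0 when the cache matches the known-good MAC, 1 otherwise
# (a missing or incomplete entry also counts as a mismatch).
check_gateway() {
    seen=$(gateway_mac_from_arp "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$seen" = "$expected" ]
}

# Constructed sample cache: the gateway entry carries a MAC that is not the
# gateway's real one, and a second host is still unresolved.
SAMPLE_ARP='? (192.168.1.1) at 00:1a:2b:3c:4d:5e [ether] on eth0
? (192.168.1.20) at <incomplete> on eth0'

# On a real client you would run:  arp -n -a | check_gateway 192.168.1.1 <real MAC>
if printf '%s\n' "$SAMPLE_ARP" | check_gateway 192.168.1.1 00:1a:2b:3c:4d:ff; then
    echo "gateway MAC matches; no ARP interception seen"
else
    echo "WARNING: gateway MAC differs or is missing; client may be ARP-trapped"
fi
```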